| Message ID | b8948d9a-65bc-4f3f-aa90-60addd064819@moroto.mountain (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/4] media: mediatek: vcodec: fix potential double free | expand |
Hi, Le mercredi 14 juin 2023 à 16:06 +0300, Dan Carpenter a écrit : > If we encounter any error in the vdec_msg_queue_init() then we need > to set "msg_queue->wdma_addr.size = 0;". Normally, this is done > inside the vdec_msg_queue_deinit() function. However, if the > first call to allocate &msg_queue->wdma_addr fails, then the > vdec_msg_queue_deinit() function is a no-op. For that situation, just > set the size to zero explicitly and return. > > There were two other error paths which did not clean up before returning. > Change those error paths to goto mem_alloc_err. > > Fixes: b199fe46f35c ("media: mtk-vcodec: Add msg queue feature for lat and core architecture") > Fixes: 2f5d0aef37c6 ("media: mediatek: vcodec: support stateless AV1 decoder") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> This change looks good to me, thanks again for your work. Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com> > --- > drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c > index 92ac82eb444e..be25d56712d8 100644 > --- a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c > +++ b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c > @@ -307,6 +307,7 @@ int vdec_msg_queue_init(struct vdec_msg_queue *msg_queue, > err = mtk_vcodec_mem_alloc(ctx, &msg_queue->wdma_addr); > if (err) { > mtk_v4l2_err("failed to allocate wdma_addr buf"); > + msg_queue->wdma_addr.size = 0; > return -ENOMEM; > } > msg_queue->wdma_rptr_addr = msg_queue->wdma_addr.dma_addr; > @@ -338,14 +339,14 @@ int vdec_msg_queue_init(struct vdec_msg_queue *msg_queue, > err = mtk_vcodec_mem_alloc(ctx, &lat_buf->rd_mv_addr); > if (err) { > mtk_v4l2_err("failed to allocate rd_mv_addr buf[%d]", i); > - return -ENOMEM; > + goto mem_alloc_err; > } > > lat_buf->tile_addr.size = VDEC_LAT_TILE_SZ; > err = mtk_vcodec_mem_alloc(ctx, &lat_buf->tile_addr); > if (err) { > mtk_v4l2_err("failed to allocate tile_addr buf[%d]", i); > - return -ENOMEM; > + goto mem_alloc_err; > } > } >
diff --git a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c index 92ac82eb444e..be25d56712d8 100644 --- a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c +++ b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c @@ -307,6 +307,7 @@ int vdec_msg_queue_init(struct vdec_msg_queue *msg_queue, err = mtk_vcodec_mem_alloc(ctx, &msg_queue->wdma_addr); if (err) { mtk_v4l2_err("failed to allocate wdma_addr buf"); + msg_queue->wdma_addr.size = 0; return -ENOMEM; } msg_queue->wdma_rptr_addr = msg_queue->wdma_addr.dma_addr; @@ -338,14 +339,14 @@ int vdec_msg_queue_init(struct vdec_msg_queue *msg_queue, err = mtk_vcodec_mem_alloc(ctx, &lat_buf->rd_mv_addr); if (err) { mtk_v4l2_err("failed to allocate rd_mv_addr buf[%d]", i); - return -ENOMEM; + goto mem_alloc_err; } lat_buf->tile_addr.size = VDEC_LAT_TILE_SZ; err = mtk_vcodec_mem_alloc(ctx, &lat_buf->tile_addr); if (err) { mtk_v4l2_err("failed to allocate tile_addr buf[%d]", i); - return -ENOMEM; + goto mem_alloc_err; } }
If we encounter any error in the vdec_msg_queue_init() then we need to set "msg_queue->wdma_addr.size = 0;". Normally, this is done inside the vdec_msg_queue_deinit() function. However, if the first call to allocate &msg_queue->wdma_addr fails, then the vdec_msg_queue_deinit() function is a no-op. For that situation, just set the size to zero explicitly and return. There were two other error paths which did not clean up before returning. Change those error paths to goto mem_alloc_err. Fixes: b199fe46f35c ("media: mtk-vcodec: Add msg queue feature for lat and core architecture") Fixes: 2f5d0aef37c6 ("media: mediatek: vcodec: support stateless AV1 decoder") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)